Vulnerability found:
30 April 2009


Vendor informed:
01 May 2009


Severity level:
Medium


Credits:
Richard Brain and Rolando Fuentes of ProCheckUp Ltd (www.procheckup.com)


Description:
Several vulnerabilities have been found on Activedition version 4.0.0; They arise from insufficient input filtering.
By using a specially-crafted link, and tricking the victim into clicking on it, an attacker can perform malicious attacks such as the following:

- Hijack user accounts by stealing the victim's cookies that are assigned to the victim's browser by the vulnerable website

- Hijack user accounts by injecting a "fake" html form on the html rendered by the victim's web browser

- Redirect the victim to a malicious third-party website which would perform a phishing attack to steal the user credentials or exploit a vulnerability (i.e.: buffer overflow) on the victim's web browser in order to compromise the victim's workstation

Notes:

Vulnerable Hidden Parameters:

- workflow
- liststatus
- area
- pageid

Parameters showing a type mismatch machine error:

- screen_availHeight
- screen_availWidth


Proof of concept:
http://target-domain.foo/activedition/aelogin.asp?status=Fail&noreset=True&workflow='"<script><img src="x" onerror='alert(document.cookie)'&liststatus=&area=&pageid=


http://target-domain.foo/activedition/aelogin.asp?status=Fail&noreset=True&workflow='"<script><img src="http://some-server.bar/images/logo_procheckup.gif&liststatus=&area=&pageid=

http://target-domain.foo/activedition/aelogin.asp?status=Fail&noreset=True&workflow='"<script><iframe%20src="http://www.procheckup.com" width="600%" height="300%"&liststatus=&area=&pageid=

http://target-domain.foo/activedition/aelogin.asp?status=&noreset=False&workflow=&liststatus=&area=&pageid='"<script><b>User Name<b><BR><input name="user"><BR><b>Password<b><BR><input type = "password" name="pass"><button onClick="">Log in</button


Note: the previous examples were tested on IE7 and FF2.


How to fix:
Ensure all input is filtered sufficiently before being echoed back to the client. In particular, characters such as left and right angle brackets, quotation marks, apostrophes, semicolons and ampersands should be filtered. It is highly recommended to follow a white-listing input validation approach whenever possible.

Not only should the types of characters submitted be validated, but also the length of the submitted parameter value.


References:
ProCheckUp Vulnerabilities
http://www.procheckup.com/vulnerability_manager
Legal:
Copyright 2009 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.